LinuxQuestions.org
Linux - Security
Old 05-02-2007, 05:57 PM   #1
grpprod
LQ Newbie
 
Registered: Nov 2005
Posts: 13

Rep: Reputation: 0
Network Attack seems to ignore my iptables rules


Hi all,
One of my mail servers is currently under attack. I have set up a pretty decent iptables set (SYN floods etc.), but it seems that it cannot handle this particular one (although it looks like a SYN flood to me). In particular, as shown in the log, it manages to 'catch' it, but for some reason the server is unresponsive on its services (POP, IMAP, SMTP). I was wondering if someone could help me deal with this situation. I hope I can do something more than wait for it to finish.

Code:
May  3 01:46:00 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=28 ID=64164 PROTO=TCP SPT=55774 DPT=56124 WINDOW=4096 RES=0x00 SYN URGP=0 
May  3 01:46:02 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=25 ID=31025 PROTO=TCP SPT=55772 DPT=55118 WINDOW=2048 RES=0x00 SYN URGP=0 
May  3 01:46:02 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=22646 PROTO=TCP SPT=55774 DPT=25786 WINDOW=4096 RES=0x00 SYN URGP=0 
May  3 01:46:03 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=33630 PROTO=TCP SPT=55771 DPT=4154 WINDOW=4096 RES=0x00 SYN URGP=0 
May  3 01:46:05 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=13090 PROTO=TCP SPT=55771 DPT=48393 WINDOW=3072 RES=0x00 SYN URGP=0 
May  3 01:46:06 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=35 ID=60313 PROTO=TCP SPT=55774 DPT=17878 WINDOW=3072 RES=0x00 SYN URGP=0 
May  3 01:46:08 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=3242 PROTO=TCP SPT=55772 DPT=23571 WINDOW=1024 RES=0x00 SYN URGP=0 
May  3 01:46:08 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=27 ID=23312 PROTO=TCP SPT=55774 DPT=35985 WINDOW=4096 RES=0x00 SYN URGP=0 
May  3 01:46:10 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=26 ID=32949 PROTO=TCP SPT=55772 DPT=33707 WINDOW=3072 RES=0x00 SYN URGP=0 
May  3 01:46:11 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=29 ID=48152 PROTO=TCP SPT=55770 DPT=1737 WINDOW=1024 RES=0x00 SYN URGP=0 
May  3 01:46:11 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=34 ID=4883 PROTO=TCP SPT=55772 DPT=65379 WINDOW=2048 RES=0x00 SYN URGP=0 
May  3 01:46:12 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=35 ID=29322 PROTO=TCP SPT=55774 DPT=59015 WINDOW=4096 RES=0x00 SYN URGP=0 
May  3 01:46:13 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=32 ID=10730 PROTO=TCP SPT=55771 DPT=10950 WINDOW=4096 RES=0x00 SYN URGP=0 
May  3 01:46:14 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=19 ID=33847 PROTO=TCP SPT=55773 DPT=7563 WINDOW=3072 RES=0x00 SYN URGP=0
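
The log above records SYNs from one source address to a different high destination port each time, so a per-source summary of the LOG output is the quickest way to tell a sweep of many ports from a flood aimed at one service. The following is an added example and not code from this thread: a POSIX shell/awk classifier fed a constructed sample consisting of six lines copied from the post above (abridged, MAC field dropped), six constructed SYNs from 198.51.100.7 to port 25 for contrast, and one constructed SYN-ACK that the parser must ignore. The thresholds (5 packets, 5 distinct ports) and the verdict labels are arbitrary starting points, not anything the thread defines.

```sh
#!/bin/sh
# Added example: summarise iptables LOG lines per SRC to separate a port scan
# (a few SYNs spread over many DPTs) from a SYN flood (many SYNs to one DPT).

# classify_syn_log: reads kernel LOG lines on stdin, prints one line per SRC:
#   SRC  syn_count  distinct_dports  busiest_dport  hits_on_it  verdict
classify_syn_log() {
    awk '
    # pure SYN only: a SYN-ACK is logged as "ACK SYN" and must not count
    /PROTO=TCP/ && / SYN / && !/ ACK / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        total[src]++
        if (!((src, dpt) in hits)) ports[src]++     # first SYN to this port
        hits[src, dpt]++
        if (hits[src, dpt] > topn[src]) { topn[src] = hits[src, dpt]; top[src] = dpt }
    }
    END {
        for (s in total) {
            verdict = "low-volume"
            if (ports[s] >= 5 && topn[s] * 2 <= total[s])
                verdict = "port-scan"            # many ports, none dominant
            else if (total[s] >= 5 && topn[s] * 2 > total[s])
                verdict = "single-port-flood"    # one port takes most SYNs
            printf "%s %d %d %s %d %s\n", s, total[s], ports[s], top[s], topn[s], verdict
        }
    }'
}

# Constructed sample: six abridged lines from the post (MAC field removed), six
# constructed SYNs from 198.51.100.7 to port 25, and one constructed SYN-ACK.
SAMPLE_LOG='May  3 01:46:00 srv kernel: Dropped by default:IN=eth0 OUT= SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=28 ID=64164 PROTO=TCP SPT=55774 DPT=56124 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:02 srv kernel: Dropped by default:IN=eth0 OUT= SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=25 ID=31025 PROTO=TCP SPT=55772 DPT=55118 WINDOW=2048 RES=0x00 SYN URGP=0
May  3 01:46:02 srv kernel: Dropped by default:IN=eth0 OUT= SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=22646 PROTO=TCP SPT=55774 DPT=25786 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:03 srv kernel: Dropped by default:IN=eth0 OUT= SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=33630 PROTO=TCP SPT=55771 DPT=4154 WINDOW=4096 RES=0x00 SYN URGP=0
May  3 01:46:05 srv kernel: Dropped by default:IN=eth0 OUT= SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=13090 PROTO=TCP SPT=55771 DPT=48393 WINDOW=3072 RES=0x00 SYN URGP=0
May  3 01:46:06 srv kernel: Dropped by default:IN=eth0 OUT= SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=35 ID=60313 PROTO=TCP SPT=55774 DPT=17878 WINDOW=3072 RES=0x00 SYN URGP=0
May  3 01:50:00 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 PROTO=TCP SPT=41000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:50:00 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 PROTO=TCP SPT=41001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:50:00 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1003 PROTO=TCP SPT=41002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:50:01 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1004 PROTO=TCP SPT=41003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:50:01 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1005 PROTO=TCP SPT=41004 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:50:01 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1006 PROTO=TCP SPT=41005 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 01:50:01 srv kernel: Dropped by default:IN=eth0 OUT= SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1007 PROTO=TCP SPT=41006 DPT=25 WINDOW=5840 RES=0x00 ACK SYN URGP=0'

# classify_sample: run the classifier over the constructed sample.
classify_sample() {
    printf '%s\n' "$SAMPLE_LOG" | classify_syn_log
}

classify_sample
```

On a live box, `grep 'SYN URGP' /var/log/messages | classify_syn_log` gives the same per-source table; a verdict of single-port-flood against 25, 110 or 143 is the case where connection-tracking state and SYN cookies matter, while a port-scan verdict means the default-DROP rule is already doing its job and the service outage has to be explained by something else in the ruleset.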
 
Old 05-02-2007, 06:11 PM   #2
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 70
Have you done “sysctl net.ipv4.tcp_syncookies=1”?
 
Old 05-02-2007, 06:49 PM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
I wonder if one of the web servers they host is compromised.
Code:
------------------------------------------------------
Points of contact for Yandex LLC Network Operations
------------------------------------------------------
Routing and peering issues:  noc@yandex.net
SPAM issues:                 abuse@yandex.ru
Network security issues:     abuse@yandex.ru
Mail issues:                 postmaster@yandex.ru
General information:         info@yandex.ru
------------------------------------------------------
Although their main business is as a search engine.
 
Old 05-02-2007, 11:38 PM   #4
grpprod
LQ Newbie
 
Registered: Nov 2005
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by osor
Have you done “sysctl net.ipv4.tcp_syncookies=1”?
Yes,

Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
No luck. Any more suggestions?

Btw, this is something I don't get. iptables seems to give me the opposite result from what I would expect. The machine is still able to serve clients when iptables is off, but it stops doing so when it is on (most probably due to connection limits being enforced). So what's the point of using it if, in practice, the result is the exact opposite of the desired one?

Last edited by grpprod; 05-03-2007 at 12:54 AM.
 
Old 05-03-2007, 06:20 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Could we see the iptables rules you are using?

Or at least the active config, like:
Code:
iptables -nvL

Last edited by win32sux; 05-03-2007 at 08:59 AM.
 
Old 05-04-2007, 11:29 PM   #6
grpprod
LQ Newbie
 
Registered: Nov 2005
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux
could we see the iptables rules you are using??

Okay, here are the rules I use to handle attacks:

Code:
# $IPTABLES is set earlier in the full script (e.g. IPTABLES=/sbin/iptables)

# Spoofed local IPs: drop anything arriving with a bogon or private source address
$IPTABLES -A INPUT -s 255.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP

# SYN-floods: every inbound SYN, from any source to any port, goes through one chain
$IPTABLES -N SYNFLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYNFLOOD
$IPTABLES -A SYNFLOOD -j LOG --log-level debug
# one token bucket shared by all sources and ports: 1 SYN/s sustained, 4 in a burst;
# SYNs arriving above that rate fall through to the DROP
$IPTABLES -A SYNFLOOD -p tcp -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYNFLOOD -j DROP

# Allow only SYN packets to open a new connection
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# NULL TCP, XMASTREE etc.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN FIN -m state --state NEW -j REJECT --reject-with tcp-reset
# RSTs up to 2/s are accepted here; RSTs above that rate continue down the INPUT chain
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 2/s -j ACCEPT

# Corrupted packets (same match as the "Allow only SYN packets" DROP above, so this rule is never reached)
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset

# Fragmented packets
$IPTABLES -A INPUT -f -j DROP

# Ping DoS
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
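
The SYNFLOOD chain in the rules above applies a single `-m limit` budget (1 SYN/s, burst 4) to every inbound SYN regardless of source or destination port, so once a scan or an ordinarily busy minute empties that bucket, the SYNs of legitimate mail clients are dropped as well. The script below is an added example, not code from this thread: it rebuilds the chain with a per-source budget using the hashlimit match, accepts established traffic before any limit is consulted, and sets the SYN-cookie sysctl suggested in post #2 alongside two related backlog settings. The mail ports 25, 110 and 143, the 10 SYN/s per source budget, and the sysctl values are assumptions to adjust for the server in question; `--hashlimit-upto` is the spelling used by newer iptables releases (older ones use `--hashlimit`). With DRY_RUN=1, the default, the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example: per-source SYN rate limiting for a mail server, replacing a
# global SYN budget. DRY_RUN=1 (default) prints commands; DRY_RUN=0 applies them
# (requires root and the hashlimit, multiport and state matches).
DRY_RUN=${DRY_RUN:-1}
IPTABLES=${IPTABLES:-iptables}

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

syn_flood_rules() {
    # Kernel side first: SYN cookies keep the listen queue usable under a real
    # flood; a larger backlog and fewer SYN-ACK retries shorten half-open state.
    # (Values are assumptions; tune for the box.)
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.tcp_max_syn_backlog=4096
    run sysctl -w net.ipv4.tcp_synack_retries=2

    # Packets of connections that already exist are accepted before any limit,
    # so clients that are mid-session are never starved by a burst of new SYNs.
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state INVALID -j DROP

    # Only SYNs to the mail ports (assumed: 25, 110, 143) enter the SYNFLOOD chain.
    # hashlimit keys the bucket on the source address: one noisy host is
    # throttled on its own instead of draining a budget shared by everyone.
    run "$IPTABLES" -N SYNFLOOD
    run "$IPTABLES" -A INPUT -p tcp --syn -m multiport --dports 25,110,143 -j SYNFLOOD
    run "$IPTABLES" -A SYNFLOOD -m hashlimit --hashlimit-name syn_per_src \
        --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 20 -j RETURN
    # Log the excess at a bounded rate so the log itself cannot be flooded.
    run "$IPTABLES" -A SYNFLOOD -m limit --limit 5/min -j LOG --log-prefix "SYNFLOOD drop: "
    run "$IPTABLES" -A SYNFLOOD -j DROP

    # SYNs that RETURN from SYNFLOOD, and all other mail-port traffic, are accepted.
    run "$IPTABLES" -A INPUT -p tcp -m multiport --dports 25,110,143 -j ACCEPT
}

syn_flood_rules
```

After applying with DRY_RUN=0, `iptables -nvL SYNFLOOD` shows the per-rule packet counters; a rising count on the final DROP while the RETURN counter stays flat for everyone except one source is the per-source throttle working as intended. Because the bucket is keyed on source address, many clients behind one NAT share a budget, which is why the burst value is kept well above what a handful of mail clients need.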
 
  

